is a sub-project of the Atomic Threat Coverage framework, covering Mitigation techniques of all kinds.
The project follows the "actionable analytics" paradigm inherited from the parent project: we detail the MITRE ATT&CK framework to make it more specific and clear for those who want to operationalize it.
The entities of the project serve as a data source for the Atomic Threat Coverage framework, which picks them up and processes them, generating markdown and Confluence knowledge bases, ATT&CK Navigator profiles, Elasticsearch indexes and other analytics.
The following entities are present:
- Hardening Policies — description of native OS mechanisms to be configured to mitigate a specific Threat
- Mitigation Systems — description of systems to be deployed and configured to mitigate a specific Threat
- Mitigation Policies — specific configurations of Mitigation Systems to mitigate a specific Threat
These entities are also connected to the Detection and Response functions:
- Mitigation Systems provide specific Data required for Detection/Hunting and Incident Response
- Mitigation Systems provide the ability to execute specific Actions required during Incident Response
We are going to highlight these connections to emphasize the importance of some Mitigations over others.
Mostly, we are just tired of vendors' marketing materials, magic quadrants, and security systems which are not just not working but making everything worse. From our observation, we sadly have to admit that most companies in the Information Security area seem to target only income.
We are targeting security, as most community projects do.
That's why we would like to show and prove that some security systems are highly overestimated, while the importance of basics (i.e. hardening, which is not just cheap but free) is extremely underestimated.
It was hard to do before MITRE ATT&CK was released. Now we have a detailed description of threats and can map specific Mitigations to them, showing what exactly needs to be done to protect systems against specific threats.
Data in the repository:

```text
├── hardening_policies/
│   ├── HP_0001_windows_LocalAccountTokenFilterPolicy.yml
│   └── hardeningpolicies.yml.template
├── mitigation_policies/
│   ├── MP_0001_windows_asr_block_credential_stealing_from_lsass.yml
│   └── mitigation_policy.yml.template
└── mitigation_systems/
    ├── MS_0001_microsoft_defender_advanced_threat_protection.yml
    └── mitigation_system.yml.template
```
Hardening Policies: this entity is used as a description of specific native OS mechanisms' configurations which can mitigate a specific threat, with a mapping to MITRE ATT&CK.
Mitigation Systems: this entity is used as a description of a System which can provide threat mitigation abilities via Mitigation Policies (specific configurations).
Mitigation Policies: this entity is used as a description of specific configurations which can be applied on a Mitigation System to mitigate a specific threat, with a mapping to MITRE ATT&CK.
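As an added example (not code from the Atomic Threat Coverage project), the Python script below shows how the three entity kinds can be validated and then processed into an ATT&CK Navigator layer, the kind of analytics the parent framework generates from these files. The entities are constructed samples standing in for the YAML files in the tree above; the field names `id`, `title`, `techniques` and `mitigation_system`, and the technique mappings chosen for the samples, are assumptions for this example, not the project's template schema. Each technique in the resulting layer is scored by how many mitigations cover it, so uncovered techniques stand out as gaps in the matrix.

```python
"""Validate Mitigation entities and build an ATT&CK Navigator layer from them."""
import json
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample entities, mirroring the three file families of the
# repository. Field names and technique mappings are assumptions for this
# example, not the project's real template schema. In a real run they would
# come from yaml.safe_load() of each *.yml file.
HARDENING_POLICIES: List[Dict] = [
    {
        "id": "HP_0001",
        "title": "Windows: LocalAccountTokenFilterPolicy",
        "platform": "windows",
        # Assumed mapping: limiting remote use of local admin tokens counters
        # pass-the-hash with local accounts.
        "techniques": ["T1550.002"],
    },
]
MITIGATION_SYSTEMS: List[Dict] = [
    {"id": "MS_0001", "title": "Microsoft Defender Advanced Threat Protection"},
]
MITIGATION_POLICIES: List[Dict] = [
    {
        "id": "MP_0001",
        "title": "ASR: block credential stealing from LSASS",
        "mitigation_system": "MS_0001",  # must reference an existing MS_ entity
        "techniques": ["T1003.001"],      # assumed mapping: LSASS memory dumping
    },
]

ENTITY_ID = re.compile(r"^(HP|MS|MP)_\d{4}$")
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def validate_entities(entities: List[Dict], prefix: str) -> List[str]:
    """Return a list of problems; an empty list means the batch is clean."""
    problems: List[str] = []
    seen = set()
    for entity in entities:
        eid = entity.get("id", "")
        if not ENTITY_ID.match(eid) or not eid.startswith(prefix + "_"):
            problems.append(f"{eid or '<missing>'}: id must look like {prefix}_NNNN")
        if eid in seen:
            problems.append(f"{eid}: duplicate id")
        seen.add(eid)
        for tech in entity.get("techniques", []):
            if not TECHNIQUE_ID.match(tech):
                problems.append(f"{eid}: bad ATT&CK technique id {tech!r}")
    return problems


def check_system_references(policies: List[Dict], systems: List[Dict]) -> List[str]:
    """Every Mitigation Policy must point at a known Mitigation System."""
    known = {s["id"] for s in systems}
    return [
        f"{p['id']}: unknown mitigation_system {p.get('mitigation_system')!r}"
        for p in policies
        if p.get("mitigation_system") not in known
    ]


def build_navigator_layer(entities: List[Dict], name: str) -> Dict:
    """Aggregate entity->technique mappings into a minimal Navigator layer.

    score = number of mitigations covering the technique; the comment lists
    the covering entity ids. Layer metadata keys such as "versions" are
    omitted here to keep the example short.
    """
    coverage = defaultdict(list)
    for entity in entities:
        for tech in entity.get("techniques", []):
            coverage[tech].append(entity["id"])
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tech, "score": len(ids), "comment": ", ".join(sorted(ids))}
            for tech, ids in sorted(coverage.items())
        ],
    }


def build_all() -> Dict:
    """Validate the sample repository and return the resulting layer."""
    problems = (
        validate_entities(HARDENING_POLICIES, "HP")
        + validate_entities(MITIGATION_SYSTEMS, "MS")
        + validate_entities(MITIGATION_POLICIES, "MP")
        + check_system_references(MITIGATION_POLICIES, MITIGATION_SYSTEMS)
    )
    if problems:
        raise ValueError("; ".join(problems))
    return build_navigator_layer(HARDENING_POLICIES + MITIGATION_POLICIES, "Mitigation coverage")


if __name__ == "__main__":
    print(json.dumps(build_all(), indent=2))
```

The validation step is what keeps the generated analytics trustworthy: an entity id that does not follow the `HP_`/`MS_`/`MP_` convention, a duplicated id, a malformed technique id, or a Mitigation Policy pointing at a Mitigation System that does not exist would otherwise silently produce a misleading coverage picture.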
- CIS benchmarks — the best description of hardening strategies (for some OSes), but with no mapping to MITRE ATT&CK. Once they implement this mapping, we will integrate their analytics into the project
- ansible os-hardening — a great project, but with no mapping to MITRE ATT&CK. Once they implement it, we will integrate them into the project
- Daniil Yugoslavskiy, @yugoslavskiy
- Would you like to become one? You are very welcome! Use the CONTRIBUTING guidelines to contribute to the project.
See the LICENSE file.